Security Pattern Assurance through Round-Trip Engineering


1 Security Pattern Assurance through Round-Trip Engineering
Amnon H. Eden, School of Computer Science & Electronic Engineering, University of Essex

2 Abstract
Catalogues of security patterns record object-oriented design practices that have proved to promote security. Our research project facilitates making, modelling and enforcing design decisions involving security patterns: making design decisions, by creating a guide for the transition from requirements to tactics and from tactics to patterns; modelling design decisions, by capturing the constraints that each security pattern imposes clearly, precisely and with minimal effort; enforcing design decisions, by developing tools for fully automated conformance checking.

3 Contents
Making design decisions: from requirements to tactics to patterns
Modelling design decisions: structure (Codecharts); behaviour (temporal logic)
Enforcing design decisions: tool support
Round-trip engineering

4 Example
Requirement: withstand attacks.
1. Make the design decision. Tactic: Limit Exposure. Pattern: Check Point.
2. Codify the decision. Structure: Codecharts. Behaviour: temporal logic.
3. Enforce the decision. Map the pattern to the implementation; verify with the Toolkit.

5 Project: Security Pattern Assurance through Round-trip Engineering
LENS (Line-funded Exploratory New Starts), Software Engineering Institute, Carnegie Mellon University, $125K.
Team: Rick Kazman (SEI & U of Hawaii), Abdullah Alzahrani (U of Essex), Jungwoo Ryoo (Penn State), Rob Wojcik (SEI), Amnon H. Eden (U of Essex), Gary Chastek (SEI).

6 Making design decisions
Requirements → Tactics → Patterns

7 Tactics: fine-grained design objectives
Each contributes to one quality attribute: availability, interoperability, modifiability, performance, security, testability, usability (Bass, Clements & Kazman 2012).

8 Tactics hierarchy (Ryoo, Kazman & Laplante 2012)

9 Guide: Tactics → Patterns
Single Access Point, Check Point, Roles, Session, Full View with Errors, Limited View, Security Access Layer, Intercepting Validator, Secure Logger, …

10 Modelling design decisions: Structure
Codecharts

11 Single Access Point (SAP) pattern
Intent: defines one interface for all communication between external entities and secured components.
Participants: External Entities, Internal Entities, Single Access Point.
(Schumacher, Fernandez-Buglioni, Hybertson, Buschmann & Sommerlad 2006; Wassermann & Cheng 2003)

12 SAP: structure
The class Single Access Point is the only one that interacts with external entities. It is also the appropriate place to keep a log of the parties currently accessing the system (Wassermann & Cheng 2003).

13 Security patterns: Check Point pattern
Intent: a component that intercepts and monitors all incoming requests; when a violation is detected it is responsible for taking the appropriate countermeasures.
Participants: CheckPoint, Countermeasure, SecurityPolicy.
(Schumacher, Fernandez-Buglioni, Hybertson, Buschmann & Sommerlad 2006; Wassermann & Cheng 2003)

14 Security patterns: structure
Check Point pattern (cont.)
CheckPoint implements a method that checks each message against the current security policy and either triggers a countermeasure or allows the message to proceed to its intended recipient.
Countermeasure provides the actions that can be triggered in reaction to an access violation.
SecurityPolicy implements the rules that determine whether a request is granted.
(Wassermann & Cheng 2003)

15 Modelling structure: class diagrams
Check Point (Wassermann & Cheng 2003)

16 Modelling structure: class diagrams
Questions the class diagram leaves open: 1. Which method calls which? 2. What's this? 3. Is it class "CheckPoint"?
Check Point (Wassermann & Cheng 2003)

17 Modelling structure: Codecharts
Declarations: InternalEntities : ℙ CLASS; counterMeasure : CLASS; checkPolicy : SIGNATURE; Trigger : ℙ SIGNATURE
Formula: Call(checkRequest ⊗ checkPoint, Trigger ⊗ counterMeasure)
Check Point (Wassermann & Cheng 2003)

18 Modelling structure: schema CheckPoint (Codechart and schema)
singleAccessPoint, checkPoint, counterMeasure, securityPolicy : CLASS
InternalEntities : ℙ CLASS
access, checkPolicy, checkRequest : SIGNATURE
Trigger, SecureActions : ℙ SIGNATURE
Call(access ⊗ singleAccessPoint, checkRequest ⊗ checkPoint)
Call+(checkRequest ⊗ checkPoint, SecureActions ⊗ InternalEntities)
…
Check Point (Wassermann & Cheng 2003)

19 Modelling structure: class diagrams
CheckPoint encapsulates the security policy. Many policies ⇒ many CheckPoints. Which parts are common and which unique? One concrete CheckPoint or many?
Check Point (Schumacher et al. 2006)

20 Modelling structure: schema CheckPoint2 (Codechart and schema)
CheckPointHierarchy : HIERARCHY
access, checkRequest : SIGNATURE
Trigger, SecureActions : ℙ SIGNATURE
singleAccessPoint, counterMeasure : CLASS
InternalEntities : ℙ CLASS
Call(access ⊗ singleAccessPoint, checkRequest ⊗ CheckPointHierarchy)
Call(access ⊗ singleAccessPoint, SecureActions ⊗ InternalEntities)
…
Check Point (Schumacher et al. 2006)

21 Modelling structure: Codecharts
Methods, sets, signatures. A precise criterion of correctness. Supports communication, verification, automation, …
Variations become evident: Check Point (Wassermann & Cheng 2003) versus Check Point (Schumacher et al. 2006).

22 Modelling design decisions: Behaviour

23 Security patterns: behaviour
CheckPoint checks whether the message conforms to the policy: if not, it triggers a countermeasure; if so, it allows the message to proceed to its intended recipient.
Countermeasure reacts to an access violation when triggered.
Client receives a granted or denied access message.
Check Point (Wassermann & Cheng 2003)
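The Check Point participants and message flow described on slides 13, 14 and 23, as an added example in Python; this is not code from the presentation, from the pattern catalogues or from the TTP Toolkit. Class names follow the pattern's participants; the Request shape, the policy rules and the lock-out countermeasure are assumptions made for illustration.

```python
"""Check Point pattern (Wassermann & Cheng 2003) in Python. Added example:
not code from the presentation or the TTP Toolkit. Class names follow the
pattern's participants; Request, the policy rules and the lock-out
countermeasure are assumptions made for illustration."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    principal: str
    action: str
    resource: str


class SecurityPolicy:
    """Rules deciding whether a request is granted. Default deny: a request
    matching no rule is refused, so a missing rule cannot open access."""

    def __init__(self, allowed):
        self._allowed = set(allowed)  # {(principal, action, resource), ...}

    def permits(self, req):
        return (req.principal, req.action, req.resource) in self._allowed


class Countermeasure:
    """Reacts to access violations: records them, counts consecutive
    failures per principal and locks the principal out after a threshold."""

    def __init__(self, lockout_after=3):
        self.lockout_after = lockout_after
        self.failures = {}
        self.locked = set()
        self.log = []

    def trigger(self, req):
        n = self.failures.get(req.principal, 0) + 1
        self.failures[req.principal] = n
        self.log.append(f"DENY {req.principal} {req.action} {req.resource}")
        if n >= self.lockout_after:
            self.locked.add(req.principal)
            return "locked"
        return "denied"


class InternalEntity:
    """A secured component. Only CheckPoint holds a reference to it."""

    def __init__(self):
        self.served = []

    def handle(self, req):
        self.served.append(req)
        return f"ok:{req.action}:{req.resource}"


class CheckPoint:
    """Checks every message against the policy; on violation triggers the
    countermeasure, otherwise lets the message proceed to its recipient."""

    def __init__(self, policy, countermeasure, target):
        self.policy = policy
        self.countermeasure = countermeasure
        self.target = target

    def check_request(self, req):
        if req.principal in self.countermeasure.locked:
            return "locked"  # refused before the policy is even consulted
        if not self.policy.permits(req):
            return self.countermeasure.trigger(req)
        self.countermeasure.failures.pop(req.principal, None)  # reset on success
        return self.target.handle(req)


class SingleAccessPoint:
    """The one interface external entities use. It never reaches the
    InternalEntity itself: every call goes through CheckPoint."""

    def __init__(self, check_point):
        self.check_point = check_point

    def access(self, principal, action, resource):
        return self.check_point.check_request(Request(principal, action, resource))


def build_system(lockout_after=3):
    policy = SecurityPolicy({("alice", "read", "/doc"), ("alice", "write", "/doc"),
                             ("bob", "read", "/doc")})
    entity, cm = InternalEntity(), Countermeasure(lockout_after)
    return SingleAccessPoint(CheckPoint(policy, cm, entity)), cm, entity


def demo():
    """Constructed request sequence: bob's repeated write attempts trip the
    lock-out, after which even his permitted read is refused."""
    sap, cm, entity = build_system()
    results = [sap.access("alice", "read", "/doc"),
               sap.access("bob", "write", "/doc"),
               sap.access("bob", "write", "/doc"),
               sap.access("bob", "write", "/doc"),
               sap.access("bob", "read", "/doc")]
    return results, len(entity.served), sorted(cm.locked)


if __name__ == "__main__":
    print(demo())
```

The security-relevant properties are that SingleAccessPoint holds no reference to InternalEntity, so there is no path to a secured component that does not pass through check_request, and that SecurityPolicy denies by default, so an incomplete rule set fails closed. The sequence in demo() shows the countermeasure escalating from logging to lock-out, and the lock-out then refusing a request the policy would otherwise have permitted.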

24 Modelling behaviour: sequence diagrams
Limited abstractions; difficult to represent global constraints; limited tool support for verification.
Check Point (Wassermann & Cheng 2003)

25 Modelling behaviour: statecharts
Limited to finite-state automata; problematic integration.
Check Point (Wassermann & Cheng 2003)

26 Modelling behaviour: temporal logic
$\Box\,(\mathit{CheckPoint.denyAccess} \Rightarrow \Diamond\,\mathit{CounterMeasure.triggered})$
$\Box\,(\mathit{CheckPoint.denyAccess} \Rightarrow \mathit{Client.fail} \;\mathcal{U}\; \mathit{Client.idle})$
$\Box\,(\mathit{CheckPoint.grantAccess} \Rightarrow (\Diamond\,\mathit{Client.succeed}) \;\mathcal{U}\; \mathit{Client.idle})$ (availability)
Check Point (Wassermann & Cheng 2003)

27 Enforcing design decisions
Automated verification with the TTP Toolkit

28 Check Point: implementation
Java Authentication & Authorization Service (JAAS): the Java implementation of the Pluggable Authentication Module (PAM) framework. PAM is an information-security framework originally developed for the Solaris operating system; other implementations include Linux-PAM. Used, for example, by the Apache web server to validate each HTTP request according to a configured activation sequence. JAAS implements the Check Point pattern.

29 Security patterns: structure
Apparent similarity between the Check Point pattern and JAAS.

30 Enforcing structure: assignment of constants to variables (Check Point)

31 Enforcing structure: verification

32 Enforcing structure: automation
Result of the assignment (Check Point)
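The assignment-and-verification step of slides 30 to 32, applied to the Check Point schema of slide 18, as an added example in Python; it is not the TTP Toolkit and does not reproduce its algorithm. The two formulas of slide 18 are evaluated over a call relation extracted with Python's ast module from two constructed sources, one conformant and one with a "careless change" of the kind slide 44 refers to. The class and method names in those sources, the reading of a Call formula over a set as "every member", and the extra "no bypass" formula are assumptions.

```python
"""Structural conformance check modelled on the Check Point schema (slide 18)
and the assignment step (slides 30-32). Added example; not the TTP Toolkit.
A schema is typed variables plus Call / Call+ formulas; an assignment binds
each variable to a program constant; the check evaluates the formulas over the
program's call relation, extracted here with ast from constructed sources."""
import ast


def call_relation(source):
    """{(class, method): {(callee_class, callee_method), ...}} from calls of
    the form self.<field>.<m>(...), with the field's class read off
    `self.<field> = ClassName(...)` anywhere in the same class."""
    rel = {}
    for cls in [n for n in ast.parse(source).body if isinstance(n, ast.ClassDef)]:
        fields = {}
        for node in ast.walk(cls):
            if (isinstance(node, ast.Assign) and isinstance(node.value, ast.Call)
                    and isinstance(node.value.func, ast.Name)):
                for t in node.targets:
                    if (isinstance(t, ast.Attribute) and isinstance(t.value, ast.Name)
                            and t.value.id == "self"):
                        fields[t.attr] = node.value.func.id
        for fn in [n for n in cls.body if isinstance(n, ast.FunctionDef)]:
            callees = set()
            for node in ast.walk(fn):
                if isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute):
                    recv = node.func.value
                    if (isinstance(recv, ast.Attribute) and isinstance(recv.value, ast.Name)
                            and recv.value.id == "self" and recv.attr in fields):
                        callees.add((fields[recv.attr], node.func.attr))
            rel[(cls.name, fn.name)] = callees
    return rel


def calls_plus(rel, caller, callee):
    """Call+: callee reachable from caller through a chain of one or more calls."""
    seen, stack = set(), [caller]
    while stack:
        for c in rel.get(stack.pop(), set()):
            if c == callee:
                return True
            if c not in seen:
                seen.add(c)
                stack.append(c)
    return False


def verify_check_point(source, a):
    """a maps schema variables to program constants (sets for ℙ CLASS / ℙ SIGNATURE)."""
    rel = call_relation(source)
    sap_access = (a["singleAccessPoint"], a["access"])
    cp_check = (a["checkPoint"], a["checkRequest"])
    secure = [(c, m) for c in a["InternalEntities"] for m in a["SecureActions"]]
    return {
        # Call(access ⊗ singleAccessPoint, checkRequest ⊗ checkPoint)
        "sap_calls_checkpoint": cp_check in rel.get(sap_access, set()),
        # Call+(checkRequest ⊗ checkPoint, SecureActions ⊗ InternalEntities),
        # read (assumption) as: every secure action of every entity is reachable
        "checkpoint_reaches_entities": all(calls_plus(rel, cp_check, s) for s in secure),
        # Not on the slide (assumption): the access point must not call a
        # secure action directly, i.e. there is no path around the CheckPoint
        "no_bypass": not any(s in rel.get(sap_access, set()) for s in secure),
    }


# Constructed sources (not a real code base); names are assumptions
COMMON = '''
class SecurityPolicy:
    def check_policy(self, req): return req.ok
class Countermeasure:
    def trigger(self, req): pass
class InternalEntity:
    def secure_action(self, req): pass
class CheckPoint:
    def __init__(self):
        self.policy = SecurityPolicy()
        self.cm = Countermeasure()
        self.entity = InternalEntity()
    def check_request(self, req):
        if self.policy.check_policy(req):
            return self.entity.secure_action(req)
        return self.cm.trigger(req)
'''
CONFORMANT = COMMON + '''
class SingleAccessPoint:
    def __init__(self):
        self.cp = CheckPoint()
    def access(self, req):
        return self.cp.check_request(req)
'''
# "Careless change": a fast path hands some requests to the entity directly
BYPASS = COMMON + '''
class SingleAccessPoint:
    def __init__(self):
        self.cp = CheckPoint()
        self.entity = InternalEntity()
    def access(self, req):
        if req.kind == "health":
            return self.entity.secure_action(req)
        return self.cp.check_request(req)
'''
ASSIGNMENT = {"singleAccessPoint": "SingleAccessPoint", "checkPoint": "CheckPoint",
              "access": "access", "checkRequest": "check_request",
              "InternalEntities": {"InternalEntity"}, "SecureActions": {"secure_action"}}
```

Calling verify_check_point(CONFORMANT, ASSIGNMENT) yields all three True; for BYPASS the two formulas from the slide still hold, since the access point does call checkRequest and checkRequest does reach the secured method, and only no_bypass is False. The Codechart formulas are positive requirements; what makes the careless change a security regression is the additional path, which only a negative constraint catches. A schema used as a security gate should state that constraint explicitly.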

33 Enforcing behaviour: verification
Wassermann & Cheng (2003). Technique: model checking. Tools: MINERVA (Campbell et al. 2002), which checks the consistency of UML models; HYDRA (McUmber & Cheng), which translates UML to Promela; SPIN (Holzmann 1997), the model checker. Systems tested: small examples. Two steps of the process are marked as manual.
(Wassermann & Cheng 2003)

34 Enforcing structure: verification
JUnit example: ArrayList. Assignment: ArrayList. Result: "ArrayList satisfies JUnit".

35 Round-trip engineering

36 Forward, reverse, & round-trip
(Eden, Gasparis, Nicholson & Kazman, forthcoming)

37 Modelling: detailed

38 Implementation: Java 3D

39 Modelling: abstract (Java 3D)

40 Code analysis (Java 3D)

41 Verification: successful (Java 3D)

42 Modelling patterns

43 Verifying patterns (structural conformance)
Java 3D implements Factory Method: Factory Method in Java 3D

44 Implementation: evolve (careless change)

45 Verification (again)

46 Visualization: package java.util.logging

47 Modelling: evolve

48 Modelling formats: textually (XML), visually (Codechart), symbolically (schema)
Factory Method pattern, textual (XML) form:
    <?xml version="1.0" encoding="ISO…"?>
    <?xml-stylesheet type="text/xsl" href="…"?>
    <schema xmlns="…" title="Factory Method" xmlns:xsi="…" xsi:schemaLocation="…">
      <description>The Factory Method design pattern</description>
      <declarations>
        <declare>
          <variable value="Factories" />
          <variable value="Products" />
          <type value="HIERARCHY" exponent="1" />
        </declare>
        <declare>
          <variable value="factoryMethod" />
          <type value="SIGNATURE" exponent="0" />
        </declare>
      </declarations>
      <formulas>
        <formula>
          <predicatesymbol value="Isomorphic" />
          <relationsymbol value="Produce" transitive="false" />
          <superimposition>
          </superimposition>
        </formula>
      </formulas>
      <!-- Generated using the TTP Toolkit on Tue Nov 27 17:42:25 GMT … -->
    </schema>

49 Sidebar: Codecharts

50 Desiderata
Automatically verifiable; modelling & visualization; formal & practical; elegant & parsimonious; visual & symbolic; object-oriented; scalable; generic.
LePUS3 vocabulary (Eden & Nicholson 2011)

51 Inspiration: blueprints

52 Visual & symbolic: CheckPoint2 (Codechart and schema)
CheckPointHierarchy : HIERARCHY
access, checkRequest : SIGNATURE
Trigger, SecureActions : ℙ SIGNATURE
singleAccessPoint, counterMeasure : CLASS
InternalEntities : ℙ CLASS
Call(access ⊗ singleAccessPoint, checkRequest ⊗ CheckPointHierarchy)
Call(access ⊗ singleAccessPoint, SecureActions ⊗ InternalEntities)
…
Check Point (Schumacher et al. 2006)

53 Parsimony
"Each Scene Graph State class defines a factory method that creates and returns the respective Scene Graph Object." Java 3D (Eden et al. 2013)

54 Scalability: Java 3D API

55 Genericity: Enterprise JavaBeans (Monson-Haefel 2001)
"Every bean [class] obtains an EJBContext object, which is a reference to the container."
"The home interface extends the ...javax.ejb.EJBHome interface."
"A home [interface] may have many create() methods, …, each of which must have corresponding ejbCreate() and ejbPostCreate() methods in the bean class. The number and datatype of the arguments of each create() are left up to the bean developer."
"When a create() method is invoked on the home interface, the container delegates the invocation to the corresponding ejbCreate() and ejbPostCreate() methods on the bean class. An implementation for the bean's home interface is generated by the container."
Legend: Implemented; User-defined.

56 Formal method
A method is formal if it has a sound mathematical basis which provides the means of precisely defining specification, implementation and correctness. A (formal) specification language consists of a set Syn (the syntactic domain), a set Sem (the semantic domain) and a relation Sat between them (Guttag, Horning & Wing 1982; Wing 1990).

57 Definitions (Wing 1990)

58 Definitions (Eden & Nicholson 2011)

59 Semantics (Eden & Nicholson 2011)

60 Sidebar: Visualization

61 Inspiration: maps (London, England)

62 Visualization: tools
SHriMP, Class Blueprints, Rigi (Ducasse & Lanza 2005; Storey et al. 2002; Müller & Klashinsky 1988)

63 CC 439: Software Design and Architecture, Autumn term 2006/7
Visualization: tools. Microsoft Foundation Classes (Booch notation) (Odenthal & Quibeldey-Cirkel 1997)
Dr Amnon H Eden, Department of Computer Science, University of Essex

64 Visualization: tools
JBuilder 7, package java.util (Gasparis 2010)

65 Visualization: tools
Fujaba Tool Suite 5, package Java3D 1.5 (Maniati 2008)

66 Visualization: tools
NetBeans 6.1, package java.util (Gasparis 2010)

67 Visualization: tools
NetBeans 6.1, package Java3D 1.5 (about 1,200 classes) (Maniati 2008)

68 Visualization: Toolkit
Package JGraph (Eden & Nicholson 2011)

69 Visualization: Toolkit
Package java.io

70 Visualization: Toolkit
Package java.awt

71 Visualization: Toolkit
Set relations (JGraph, java.util.logging)

72 Visualization: Toolkit
Package java.jgraph

73 Visualization: Toolkit
Java Authentication & Authorization Service (JAAS)

74 Future directions

75 Runtime verification: enforce behavioural design decisions
Decisions specified in LTL, statecharts, sequence diagrams, … Also known as runtime monitoring.
Technique: monitor the program's execution or read an execution trace; determine conformance to the specifications; violations trigger actions.
Languages & tools: Eagle (Barringer, Goldberg, Havelund & Sen 2003); parameterized RuleR (Barringer, Rydeheard & Havelund 2010); PathExplorer (Havelund & Roşu 2001); MOP (Chen & Roşu 2007).
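The three temporal-logic properties of slide 26 checked over execution traces in the way this slide describes, as an added example in Python; it is not one of the tools listed above (Eagle, RuleR, PathExplorer, MOP) and is not code from the presentation. Proposition names follow slide 26; the traces are constructed, and the finite-trace semantics used for the temporal operators is an assumption of the example.

```python
"""Finite-trace LTL monitor for the Check Point behavioural properties of
slide 26 (Wassermann & Cheng 2003). Added example; not one of the runtime
verification tools listed on slide 75. A trace is a list of states, each
state the set of propositions true at that step; the traces are constructed."""

# Formulas are nested tuples: ("atom", p), ("not", f), ("implies", f, g),
# ("always", f), ("eventually", f), ("until", f, g).
def holds(formula, trace, i=0):
    """Truth of `formula` at position i of a finite trace. 'always' ranges over
    the remaining positions; 'eventually' and 'until' must be witnessed before
    the trace ends (an unfinished trace therefore reports them as violated)."""
    op, args = formula[0], formula[1:]
    if op == "atom":
        return args[0] in trace[i]
    if op == "not":
        return not holds(args[0], trace, i)
    if op == "implies":
        return not holds(args[0], trace, i) or holds(args[1], trace, i)
    if op == "always":
        return all(holds(args[0], trace, j) for j in range(i, len(trace)))
    if op == "eventually":
        return any(holds(args[0], trace, j) for j in range(i, len(trace)))
    if op == "until":  # f U g: g at some point from i on, f at every step before it
        f, g = args
        for j in range(i, len(trace)):
            if holds(g, trace, j):
                return True
            if not holds(f, trace, j):
                return False
        return False
    raise ValueError(f"unknown operator {op}")


def atom(p):
    return ("atom", p)


PROPERTIES = {
    # □(CheckPoint.denyAccess ⇒ ◇CounterMeasure.triggered)
    "deny_triggers_countermeasure": ("always", ("implies", atom("CheckPoint.denyAccess"),
                                                ("eventually", atom("CounterMeasure.triggered")))),
    # □(CheckPoint.denyAccess ⇒ Client.fail U Client.idle)
    "deny_client_fails": ("always", ("implies", atom("CheckPoint.denyAccess"),
                                     ("until", atom("Client.fail"), atom("Client.idle")))),
    # □(CheckPoint.grantAccess ⇒ (◇Client.succeed) U Client.idle)  (availability)
    "grant_client_succeeds": ("always", ("implies", atom("CheckPoint.grantAccess"),
                                         ("until", ("eventually", atom("Client.succeed")),
                                          atom("Client.idle")))),
}


def check_trace(trace):
    """Verdict per property; False means that design decision was violated."""
    return {name: holds(f, trace) for name, f in PROPERTIES.items()}


# Constructed traces: one system snapshot per step, not real tool output
GOOD = [{"Client.idle"}, {"Client.requesting"},
        {"CheckPoint.denyAccess", "Client.fail"}, {"CounterMeasure.triggered", "Client.fail"},
        {"Client.idle"}, {"Client.requesting"},
        {"CheckPoint.grantAccess", "Client.waiting"}, {"Client.succeed"}, {"Client.idle"}]
# Denial after which no countermeasure is ever triggered
NO_COUNTERMEASURE = [{"Client.idle"}, {"CheckPoint.denyAccess", "Client.fail"}, {"Client.idle"}]
# Client proceeds as if granted although access was denied
DENIED_BUT_SUCCEEDS = [{"Client.idle"}, {"CheckPoint.denyAccess", "Client.fail"},
                       {"CounterMeasure.triggered", "Client.succeed"}, {"Client.idle"}]

if __name__ == "__main__":
    for name, t in (("good", GOOD), ("no_countermeasure", NO_COUNTERMEASURE),
                    ("denied_but_succeeds", DENIED_BUT_SUCCEEDS)):
        print(name, check_trace(t))
```

GOOD satisfies all three properties; NO_COUNTERMEASURE violates the first and DENIED_BUT_SUCCEEDS violates the second. Two caveats for using this online rather than on a completed trace: under finite-trace semantics a pending "eventually" is reported as a violation when the trace is cut short, so a live monitor should distinguish "not yet satisfied" from "violated"; and each state is a snapshot of the whole system, so the monitored program must expose the client's and the check point's state in the same step, otherwise the Until properties fail for reasons of timing rather than design.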

76 Thank you

77 Bibliography: Codecharts (www.lepus.org.uk)
Software engineering state-of-the-art: An introduction to the not-so-innocent, 9-Feb-2005
Codecharts
A.H. Eden, J. Nicholson. Codecharts: Roadmaps and Blueprints for Object-Oriented Programs. Wiley-Blackwell, 2011.
A.H. Eden, E. Gasparis, J. Nicholson, R. Kazman (2013). "Modeling and Visualizing Object-Oriented Programs with Codecharts". Formal Methods in System Design, 43(1), 1–28.
A.H. Eden, E. Gasparis, J. Nicholson. "LePUS3 and Class-Z Reference Manual". University of Essex, Tech. Rep. CSM-474, 2007.
Toolkit
A.H. Eden, E. Gasparis, J. Nicholson, R. Kazman. "Round-Trip Engineering with the TTP Toolkit". Forthcoming.

78 Bibliography: research project, tactics, catalogues
Research project
J. Ryoo, R. Kazman, A.A.H. Alzahrani, A.H. Eden. "Designing for Security Using Tactics, Patterns, and Automated Verification". In preparation.
Tactics
Bass, L., Clements, P., Kazman, R. (2012). Software Architecture in Practice, 3rd ed. Addison-Wesley Professional.
J. Ryoo, R. Kazman, P. Laplante. "Revising a Security Tactics Hierarchy through Decomposition, Reclassification, and Derivation". 6th Int'l Conf. on Software Security and Reliability, Washington, D.C., 2012.
Catalogues
Schumacher, M., Fernandez-Buglioni, E., Hybertson, D., Buschmann, F., Sommerlad, P. (2006). Security Patterns: Integrating Security and Systems Engineering. Wiley.
Wassermann, R., Cheng, B. H. C. (2003). "Security Patterns". Pattern Languages of Programs (PLoP 2003).

79 Bibliography: runtime verification, formal methods
Runtime verification
Barringer, H., Goldberg, A., Havelund, K., Sen, K. (2003). Eagle monitors by collecting facts and generating obligations. Tech. Rep. CSPP-26, University of Manchester, Dept. of Computer Science.
Barringer, H., Rydeheard, D., Havelund, K. (2010). Rule systems for run-time monitoring: from EAGLE to RULER. Journal of Logic and Computation, 20(3).
Havelund, K., Roşu, G. (2001). Monitoring Java programs with Java PathExplorer. ENTCS, 55(2).
Chen, F., Roşu, G. (2007). MOP: an efficient and generic runtime verification framework. SIGPLAN Notices, 42(10).
Formal methods
Guttag, J., Horning, J., Wing, J. (1982). "Some Notes on Putting Formal Specifications to Productive Use". Science of Computer Programming, 2(1), 53–68.
Wing, J. M. (1990). "A Specifier's Introduction to Formal Methods". Computer, 23(9), 8–23.

